Wazuh can detect reverse-shell intrusions to a certain extent by running specified commands on the agent host and collecting their output.
Two common detection methods are in use today: one identifies shell processes among the network connections listed by netstat, the other identifies reverse-shell command-line signatures in the process list output by ps.
1. Append the custom commands below to the end of /var/ossec/etc/ossec.conf on the agent, then restart the agent.
<ossec_config>
  <localfile>
    <!-- log_format "command": every line of output is forwarded to the manager as its own event -->
    <log_format>command</log_format>
    <command>ps -eo user,pid,cmd</command>
    <!-- run the command every 60 seconds -->
    <frequency>60</frequency>
  </localfile>
  <localfile>
    <log_format>command</log_format>
    <command>netstat -anptl</command>
    <frequency>60</frequency>
  </localfile>
</ossec_config>
2. On the wazuh-manager, add the custom rules below to /var/ossec/etc/rules/local_rules.xml, then restart the manager.
<group name="ossec,">
  <!-- 530 is Wazuh's built-in rule for command-monitor output; 100050 narrows it to the ps command -->
  <rule id="100050" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'ps -eo user,pid,cmd'</match>
    <description>List of running processes.</description>
    <group>process_monitor,</group>
  </rule>
  <!-- level 15 raises an alert when a ps output line contains any of the '|'-separated signatures -->
  <rule id="100051" level="15">
    <if_sid>100050</if_sid>
    <match>bash -i|dash -i|sh -i$|perl -e|perl -MIO -e|php -r|ruby -rsocket|xterm -display|Xnest |xhost |nc -e /bin/|lua -e require|python -c import socket|python -c import subprocess|python -c import os|python -c exec</match>
    <description>Reverse shell listening for incoming connections.</description>
    <group>process_monitor,attacks</group>
  </rule>
  <!-- same pattern for the netstat command -->
  <rule id="100052" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'netstat -anptl'</match>
    <description>List of listening tcp ports.</description>
    <group>process_monitor,</group>
  </rule>
  <!-- level 0 rules are matched but never alerted; raise the level if shells holding sockets should alert on their own -->
  <rule id="100053" level="0">
    <if_sid>100052</if_sid>
    <match>/bash|/dash|/sh|/nc</match>
    <description>Find shell processes that have open sockets.</description>
    <group>process_monitor,attacks</group>
  </rule>
</group>
3. Spawn a reverse shell; the alert is received.
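To see how the manager walks the two rule chains above, here is an added Python simulation (not Wazuh code and not from the original post) that applies the four custom rules to constructed command-monitor events. The match semantics ('|' alternatives, '^' and '$' anchors, plain substring otherwise) are a simplified model of Wazuh's <match> operator, and the built-in rule 530 is assumed to match every "ossec: output:" event.

```python
# Simplified model of the custom rules above; sample events are constructed.
RULES = {
    # id: (parent id, level, match pattern) -- copied from local_rules.xml above
    100050: (530, 0, "^ossec: output: 'ps -eo user,pid,cmd'"),
    100051: (100050, 15, "bash -i|dash -i|sh -i$|perl -e|perl -MIO -e|php -r|"
                         "ruby -rsocket|xterm -display|Xnest |xhost |nc -e /bin/|"
                         "lua -e require|python -c import socket|"
                         "python -c import subprocess|python -c import os|"
                         "python -c exec"),
    100052: (530, 0, "^ossec: output: 'netstat -anptl'"),
    100053: (100052, 0, "/bash|/dash|/sh|/nc"),
}

def ossec_match(pattern, line):
    """Simplified <match>: true if any '|'-alternative matches the line."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        core = alt[1:] if start else alt
        core = core[:-1] if end else core
        if start and end:
            ok = line == core
        elif start:
            ok = line.startswith(core)
        elif end:
            ok = line.endswith(core)   # 'sh -i$' only fires at end of line
        else:
            ok = core in line
        if ok:
            return True
    return False

def evaluate(event):
    """Ids of rules that fire, walking parent -> child like the manager does.
    Assumption: built-in rule 530 matches every 'ossec: output:' event."""
    fired = [530] if event.startswith("ossec: output: ") else []
    for rid, (parent, _level, pattern) in RULES.items():
        if parent in fired and ossec_match(pattern, event):
            fired.append(rid)
    return fired

def alert_level(event):
    """Highest level among fired custom rules; 0 means no alert is generated."""
    return max([RULES[r][1] for r in evaluate(event) if r in RULES], default=0)

# Constructed events in the "ossec: output: '<cmd>': <line>" shape that the
# command log format produces, one event per output line.
SAMPLE_EVENTS = [
    "ossec: output: 'ps -eo user,pid,cmd': root 1 /sbin/init",
    "ossec: output: 'ps -eo user,pid,cmd': www-data 2211 bash -i",
    "ossec: output: 'ps -eo user,pid,cmd': www-data 2212 sh -i 2>&1",
    "ossec: output: 'netstat -anptl': tcp 0 0 10.0.0.5:43210 198.51.100.7:9001 ESTABLISHED 2211/bash",
]
```

Running evaluate over SAMPLE_EVENTS shows that the "bash -i" line reaches 100051 (level 15), the "sh -i 2>&1" line does not because "sh -i$" is anchored to the end of the line, and the netstat line reaches 100053 but yields level 0, so no alert.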